Vulnerability Name: CVE-2022-40897 (CCN-243028)
Assigned: 2022-12-21
Published: 2022-12-21
Updated: 2023-05-01
Summary: Pypa Setuptools is vulnerable to a denial of service, caused by improper input validation. By sending a request with a specially crafted regular expression, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS v3 Severity:
- 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
- 5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
- 5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
- 5.2 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

CVSS v2 Severity:
- 5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:C)
Vulnerability Consequences: Denial of Service
References:
- Source: MITRE | Type: CNA | CVE-2022-40897
- Source: XF | Type: UNKNOWN | pypa-cve202240897-dos(243028)
- Source: CCN | Type: PyPI Web site | pypa/setuptools: Official project repository
- Source: cve@mitre.org | Type: Third Party Advisory | cve@mitre.org
- Source: cve@mitre.org | Type: Patch, Third Party Advisory | cve@mitre.org
- Source: cve@mitre.org | Type: Release Notes, Third Party Advisory | cve@mitre.org
- Source: cve@mitre.org | Type: UNKNOWN | cve@mitre.org
- Source: cve@mitre.org | Type: UNKNOWN | cve@mitre.org
- Source: CCN | Type: PyUp Web site | PyUp Discovers ReDoS Vulnerabilities in Top Python Packages
- Source: cve@mitre.org | Type: Exploit, Patch, Technical Description, Vendor Advisory | cve@mitre.org
- Source: cve@mitre.org | Type: Third Party Advisory | cve@mitre.org
- Source: cve@mitre.org | Type: UNKNOWN | cve@mitre.org
- Source: CCN | Type: SNYK-CENTOS7-PYTHONSETUPTOOLS-3226998 | Incorrect Regular Expression
- Source: CCN | Type: SNYK-RHEL8-PLATFORMPYTHONSETUPTOOLS-3226775 | Incorrect Regular Expression
- Source: CCN | Type: IBM Security Bulletin 6857265 (Spectrum Protect Plus File Systems Agent) | Vulnerabilities in Certifi, Setuptools and Python may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-23491, CVE-2022-40897, CVE-2022-45061)
- Source: CCN | Type: IBM Security Bulletin 6958142 (Watson Speech Services Cartridge for Cloud Pak for Data) | IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to denial of service in Pypa Setuptools (CVE-2022-40897)
- Source: CCN | Type: IBM Security Bulletin 6965352 (Spectrum Protect Plus Container Agent) | Vulnerabilities in Pypa Setuptools, Golang Go, OpenSSH, Minio and Certifi may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift
- Source: CCN | Type: IBM Security Bulletin 6966084 (Maximo Application Suite) | Maximo Application Suite is vulnerable to CVE-2022-40897 per setuptools dependency
- Source: CCN | Type: IBM Security Bulletin 6983222 (Watson Discovery) | IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Pypa Setuptools
- Source: CCN | Type: IBM Security Bulletin 6986323 (MQ Operator) | IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol
- Source: CCN | Type: IBM Security Bulletin 6988077 (Speech to Text for Cloud) | IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Pypa Setuptools (CVE-2022-40897)
- Source: CCN | Type: IBM Security Bulletin 6989203 (Maximo Application Suite) | Setuptools is vulnerable to CVE-2022-40897 used in IBM Maximo Application Suite - Monitor Component
- Source: CCN | Type: IBM Security Bulletin 6999327 (Qradar Advisor) | IBM QRadar Advisor With Watson App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
- Source: CCN | Type: IBM Security Bulletin 7004661 (Cloud Object Storage System) | Vulnerabilities with OpenSSL, Apache HTTP Server, Python affect IBM Cloud Object Storage Systems (June 2023v1)
- Source: CCN | Type: IBM Security Bulletin 7005455 (Spectrum Discover) | IBM Spectrum Discover is vulnerable to multiple vulnerabilities
- Source: CCN | Type: IBM Security Bulletin 7005551 (Robotic Process Automation) | A vulnerability in Pypa Setuptools may affect IBM Robotic Process Automation for Cloud Pak and result in a denial of service (CVE-2022-40897)
- Source: CCN | Type: IBM Security Bulletin 7011035 (Watson Assistant for Cloud Pak for Data) | IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple vulnerabilities in Python
- Source: CCN | Type: IBM Security Bulletin 7014453 (App Connect Enterprise Certified Container) | IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2022-40897]
Vulnerable Configuration:
- Configuration RedHat 1
- Configuration CCN 1
Oval Definitions: